An Oracle White Paper June 2010

Oracle Enterprise Manager Grid Control 11g Release 1 Security Deployment – Best Practices

1

Introduction
The dynamic and complex nature of today‟s IT environments, the potential fallout of security breaches in terms of the financial implications and loss of goodwill coupled with stringent regulatory requirements make security a critical area of consideration for both business and IT managers. Whilst security considerations are important for standalone applications, the introduction of distributed system management applications can make it yet more challenging. Further, while standardized security best practices are available for databases and application servers, there aren‟t any standardized security benchmarks specifically for system management products. This document presents best practices for managing the security of Oracle Enterprise Manager Grid Control deployments. The recommendations in this document are based on our experience with both customer deployments and Oracle‟s own internal usage of Oracle Enterprise Manager. Some of the recommendations are based on the CIS (Center for Internet Security) Benchmark. The diagram below presents a schematic of Oracle Enterprise Manager architecture.

Figure 1 – Oracle Enterprise Manager Grid Control Architecture

2

3 . Auditing . Grid Control User Authentication 6.The best practices presented in this document are divided in 7 categories based on the major components of Oracle Enterprise Manager architecture The categories are 1. Preferred Credentials and Target Access 8. Securing the Oracle Management Repository (OMR) 2. Grid Control Privilege/Role Management 7. Encryption/Decryption 9. Securing the communication between Enterprise Manager Components 5. Securing the Oracle Management Service (OMS) 3. Securing the Oracle Management Agents(OMA) 4.

we offer the following recommendations specially to further secure the Repository 1. can modify or delete audit records stored in an operation system trail if the database version of Repository is 10gR2 or after i. a number of the best practices for securing the Oracle database itself are applicable to securing the Repository as well. Use syslog audit trail to minimize the risk that a privileged user. Since the Oracle Management Repository resides within an Oracle database. Additionally. such as a database administrator. please refer to the Oracle Database Security Checklist available at the following location – http://www. Set AUDIT_SYS_OPERATIONS to TRUE b. a.oracle. For 10gR2 DB. Audit all SYS (SYS is the username for the account that owns the schema) operations at the database level. please refer to the doc to obtain more information about syslog audit trail: 4 .pdf The above document also covers certain Operating System level steps that need to be performed to secure the database.com/technetwork/database/security/twp-security-checklist-database-1132870. For best practices on Oracle database security.Securing the OMR Securing your Oracle Enterprise Manager (EM) deployment involves securing all layers of the stack starting with the underlying operating system (OS) on which the OMS and Repository reside all the way up to the EM components themselves.

com/docs/cd/B28359_01/network. SELECT with GRANT OPTION with ALL_TABLES f.com/docs/cd/B19306_01/network.111/b28 531/auditing. Special privileges should be revoked from the PUBLIC profile that all database users are granted by default.oracle.oracle. Put the repository behind a firewall 5 .htm#CEGBIIJD 2. Revoke the following from PUBLIC (please see the Oracle Database Security Checklist document referenced above for more details on these privileges) a. EXECTUE with GRANT OPTION on DBMS_JOB h. Please refer to the following to obtain details: http://download.htm#CEGJJHJH ii. EXECUTE on UTL_TCP c. set AUDIT_SYS_LEVEL initialization parameter appropriately to use syslog audit trail. EXECUTE on UTL_FILE b. EXECUTE with GRANT OPTION on DBMS_SCHEDULER 3.102/b14 266/auditing. SELECT with GRANT OPTION with ALL_TAB_PRIVS g. EXECUTE on UTL_SMTP e. a. Restrict network access to the host on which the Repository resides.http://download. EXECUTE on UTL_HTTP d. For 11g DB.

htm#i11340 09 Here are the additional recommendations that we offer to secure OMSs: 6 . Please refer to the guideline of Secure the Network Connection for more information: http://download. Most best practices for securing the Oracle WebLogic Server are applicable for securing the OMS as well.oracle.b. tcp.1111/e13705/practices. Check Network IP Address: The Listener should be configured to accept requests only from OMS nodes by adding the following parameters into $TNS_ADMIN/protocol.com/docs/cd/B28359_01/network.invited_nodes = (list of IP addresses) The first parameter turns on the feature whereas the latter parameters respectively deny and allow specific client IP addresses from making connections to the Oracle listener.validnode_checking =YES iv.com/docs/cd/E12839_01/web. tcp. Security aspects that are unique to OMS are presented in this document.111/b28531/guidelines. Enable Connection Rate Limiter feature of Oracle listener for OMR to reduce Denial-of-Service attacks on the listener.oracle. htm#CHDJFEFF 4. tcp. Please refer to the following documentation for securing the Oracle WebLogic Server. Please refer to the following link for detailed information: http://www.oracle. http://download.com/technetwork/database/enterpriseedition/oraclenetservices-connectionratelim-133050.ora file iii.pdf Securing the OMS The OMS runs on top of the Oracle WebLogic Application Server.excluded_nodes = (list of IP addresses) v.

This recommendation is also applicable for securing the Repository and the Agents. Harden the OMS machines themselves by removing all unsecure services such as rsh. Put OMSs behind firewall to restrict network access. 3.1. telnet. Change all the passwords used during the installation. 5. We also recommend that you stop nonessential services. This recommendation is also applicable to the machine that hosts the Repository.org ). Make sure that all the Oracle homes are patched up to the latest CPU (Critical Patch Update) level. and rexec on Linux platform (For the list of unsecure services and how to remove them on different platforms.b 4. for example.cisecurity. Please refer to Chapter 19 of Advanced Installation and Configuration Guide for detailed information of firewall setup. Harden all Oracle homes of all the OMS installations a. b. this minimizes the „attack footprint‟ of the host but reduces resource consumption by services that are not required. Security Alerts and CPUs that are downloaded but not yet applied will trigger EM Alerts. EM will download new Security Alerts and CPUs automatically and place them in the Patch Cache. please refer to Securing the Repository Section 2. freeing up system resources to deliver the best performance from the OMS. SYSMAN and My Oracle Support credential‟s password. please refer to CIS benchmarks at www. 7 . Look specifically for alerts related to OMS. SYS. For SYSMAN password change. Setup your My Oracle Support credentials to detect new Security Alerts and CPUs. rlogin. Consider protecting the software running in these Oracle homes through protecting the host using a firewall 2. Restrict OS access by supporting only indirect or impersonation-based access to these Oracle homes by using utilities such as sudo or PowerBroker.

In cases where you upgrade your installation to EMGC 11 Release 1.Securing the OMA 1. any un-secure request from the OMS is rejected by the agent. Similarly. 4. 2. To protect against the possibility of users installing unauthorized agents. a. If the pre-upgrade environment is already secure-locked. 3. the upgrade retains the secure but does not secure-lock OMS. Install the latest CPUs. 8 .the upgrade retains the secure-lock mode between OMS and Agent. All OMSs should run in “secure-lock” mode. Brand new EM Grid Control (EMGC) 11g Release 1 installations are secure locked by default. Install the agents via Grid Control‟s Agent Deploy which uses the secure SSH protocol. Install the agent as a separate user from OMS installation and support only impersonation based access to this account such as sudo or PowerBroker post installation. This helps safe-guard the management system from any malicious „man-in-the-middle‟ attack happening from within the infrastructure. Securing the communication between Enterprise Manager Components 1. For more details on this. use one-time registration passwords that have a reasonable expiry date instead of persistent registration passwords. please see recommendation #2 in the Securing the OMS section above. All requests from un-secure agents are rejected by the OMS. “secure-lock” mode means that the communication can be only through HTTPS port (HTTP port is locked). if the pre-upgrade environment is secured. This ensures that the OMS-Agent communication is always encrypted and mutually authenticated.

Please configure OMS and agents to support only TLS v1 protocol.SSL. b. 9 . after you upgrade your installation to EMGC 11g Release 1. In cases the pre-upgrade environment is not secure-lokced. which is the successor of SSL v3. Brand new EM Grid Control (EMGC) 11g Release 1 installations are secure locked by default. for the communication. Stop the OMS by entering the following command: emctl stop oms 2. Please follow the following steps to configure OMS for TLS v1 protocol only 1.sh.To check the status if OMS is run in secure mode. run the following command: emctl status oms –details Run the following command to check if the agent is run in secure mode: emctl status agent –secure To secure lock the communication between OMS and agent run the command: emctl secure lock [-upload] Note that once OMSs are running in secure-lock mode. Enter the following command: emctl secure oms -protocol TLSv1 3.security. Append -Dweblogic. you need to run the following command to secure-lock the console access: emctl secure lock [-console] c. unsecure agents are not be able to upload any data to the OMSs. If this property already exists. i. This also ensures the console access from browser is secure over SSL/TSL. update the value to TLS1.protocolVersion=TLS1 to JAVA_OPTIONS in Domain_Home/bin/startEMServer.

SSL_RSA_WITH_RC4_128_MD5 2. SSL_RSA_WITH_RC4_128_MD5 7. You can edit the parameter in SSLCipherSuites $AGENT_HOME/sysman/configure/emd. Restart the OMS with the following command: emctl start oms ii. SSL_RSA_WITH_RC4_128_MD5 10 . SSL_RSA_WITH_AES_256_CBC_SHA 3. please edit SSLCipherSuite parameter in $INSTANCE_HOME/WebTierIH1/config/OHS/ohs1/httpd_em. the following cipher suites will be allowed for the communication 1. SSL_RSA_WITH_RC4_128_SHA 8.conf files with the appropriate values. if not specified. SSL_RSA_WITH_AES_128_CBC_SHA 2.4. Here are the default values: 1. Please enable the strong cipher suites for the communication between OMS and agent.properties to configure the strong cipher suites to be used for agent SSL/TLS communication. i. SSL_DH_anon_WITH_RC4_128_MD5 5. SSL_RSA_WITH_3DES_EDE_CBC_SHA ii. The following are supported strong cipher suites. To restrict the strong cipher suites used by OMS.co nf and ssl. To configure an agent to support only TLS v1 protocol while the agent listens as a server. SSL_DH_anon_WITH_3DEC_EDE_CBC_SHA 4. SSL_RSA_WITH_RC4_128_SHA 3. By default. please update the following entry in $AGENT_HOME/sysman/config/emd. allowTLSOnly=true d. 1. SSL_RSA_WITH_3DES_EDE_CBC_SHA iii.properties file as 1. SSL_DH_anon_WITH_DES_CBC_SHA 6.

for example TNS_ADMIN/sqlnet.encryption_client=REQUESTED iii. oracle.enableEncryption=true ii. Issue command “emctl set property –name <Property Name> -value <Value>” to set the following properties with the values i.emRep.ht m#i634533 11 . SSL_RSA_WITH_DES_CBC_SHA 5. Add the following to the Repository Oracle home. SSL_RSA_WITH_3DES_EDE_CBC_SHA 4. 3.2.net.net. Enable Advanced Security Option (ASO) between OMS and Repository. TLS_RSA_WITH_AES_256_CBC_SHA 2. SSL_RSA_WITH_RC4_128_SHA 3.net.ora i.crypto_checksum_client=REQUESTED v.crypto_checksum_types_client={MD5} b.sysman.111/b28530/asoappa. SQLNET. http://download. Please refer to Section “Configuring Third Party Certificates” in Chapter 2 of Administrator‟s Guide for detailed information. oracle. TLS_RSA_WITH_AES_128_CBC_SHA 6.encryption_types_client={DES40C} iv. ASO ensures that the data between OMS and Repository is secure both from confidentiality and integrity standpoints.com/docs/cd/B28359_01/network. oracle.oracle.ENCRYPTION_SERVER = REQUESTED Please refer to the following link to obtain detailed information about the parameters listed above. oracle.dbConn.net. a. Use a certificate from well-known Certificate Authority (CA) to secure OMS-Agent communication and console access to take advantage of the well-known trusted certificates with different expiry and key size. oracle.

you can enable it by executing: UPDATE MGMT_CREATED_USERS SET SYSTEM_USER=’1’ WHERE user_name=’SYSMAN’ 3. Disable SYSMAN logging into console.oracle. and grant/revoke privileges to/from other users. Create a separate super administrator and prevent SYSMAN from logging into console by executing the following SQL statement on the Repository: UPDATE MGMT_CREATED_USERS SET SYSTEM_USER=’-1’ WHERE user_name=’SYSMAN’ After disabling SYSMAN from logging into console. EM Super Administrators have FULL privileges on targets/reports/templates/jobs and these are the only users who can create other users and Super Administrators.111/e16790/security3.com/docs/cd/E11857_01/em.Grid Control User Authentication 1.com/docs/cd/E11857_01/em. Oracle Enterprise Manager Authentication a. SYSMAN should be treated as the schema owner instead as an EM Super user. Using the 12 . Use Oracle Single Sign-on (SSO) or Enterprise User Security (EUS) based authentication to take advantage of centralized identity management across the enterprise Please refer to the following links for detailed information about how to configure SSO andEUS with EM authentication respectively. http://download.111/e16790/security3. So Super user privilege should be granted with caution.htm #BABFIACG http://download.oracle.htm #BABCEGII 2. Reduce the number of Super users. SYSMAN is the schema owner and is hence more privileged than EM Super Administrators.

vi. vii. digit and punctuation character. ii. iv. 13 . its minimum length is 8. You can create customized password profiles with different values to meet your special requirements. iii.following query to get the list of super users: SELECT grantee FROM MGMT_PRIV_GRANTS WHERE PRIV_NAME = ‘SUPER_USER’ 5. for example. FAILED_LOGIN_ATTEMPTS=10 PASSWORD_LIFE_TIME=180 PASSWORD_REUSE_TIME=UNLIMITED PASSWORD_REUSE_MAX=UNLIMITED PASSWORD_LOCK_TIME=1 PASSWORD_GRACE_TIME=7 PASSWORD_VERIFY_FUNCTION=MGMT_PASS_VERIF Y The out-of-box password verification function MGMT_PASS_VERIFY will ensure that the password cannot be same as username. a new password verification function to meet a stricter password complexity requirement. Use password profiles to enforce the password control of EM Administrators while Repository-based authentication is used: a. v. and it must have at least one alphabet. There is an out-of-box password profile MGMT_ADMIN_USER_PROFILE with the following parameter settings for EM Administrators: i.

In a single OMS instance environment. the command only updates SYSMAN password in OMS‟s credential store. emctl config oms –change_repos_pwd You are prompted for old and new SYSMAN passwords. a. Use the following command to change MGMT_VIEW‟s password emctl config oms –change_view_user_pwd [-sysman_pwd <sysman_pwd>][-user_pwd <user_pwd>][-auto_generate] In multiple OMS instance environment. emctl config oms –change_repos_pwd -change_in_db In multiple OMS instances environment. you only need to run the command at one OMS instance. In addition. a random password will be generated for MGMT_VIEW and no one knows the password. Please note that if “-auto_generate” is chosen. run the following command to change SYSMAN password in both Repository and OMS configuration file. out-of-box both users are associated with MGMT_INTERNAL_USER_PROFILE. To avoid the service interruption due to the lockout of internal users: SYSMAN and MGMT_VIEW. Change SYSMAN and MGMT_VIEW users‟ password on a regular basis. c. b. emctl config oms –change_repos_pwd [-change_in_db] [-old_pwd <old_pwd> [-new_pwd <new_pwd> [-use_sys_pwd [-sys_pwd <sys_pwd>]] Parameter change_in_db controls if the password in Repository will be changed. The following command helps you change the SYSMAN password. run the command above at least at one OMS instance and run the following command at all other OMS instances to just update the SYSMAN password in OMS‟s configuration file. Without this parameter. to avoid sessions hanging or taking a 14 . You will be prompted for the old and new SYSMAN passwords.6. whose password parameters are all set to UNLIMITED.

MGMT_INTERNAL_USER_PROFILE‟s kernel parameters are set to default. Grant system privilege f. Revoke role d. Use privilege delegation utilities such as sudo or PowerBroker to access targets. Grid Control Privilege/Role Management 1. Grant role b. Grant job privilege h. Create Meaningful roles and only grant roles instead of privileges 2. Grant target privilege c. Managing role grants is simpler than managing privilege grants. 15 . Grant roles to users instead of granting privileges to enable Role Based Access Control (RBAC). revocation. Revoke job privilege Preferred Credentials and Target Access 1. run jobs and collect user-defined metrics. Revoke system privilege g. 4. a. Revoke target privilege e.long time due to resource consumption limit. Use Privilege Propagation Group to simplify the privilege assignment. Monitor the privileges grants on a regular basis and also keep track of which users are exercised what privileges by enabling audit. 3. which is unlimited as well. and administration along with group management. Follow the Principle of Least Privilege to grant only the minimum set of privileges a user needs for carrying out his/her responsibilities by granting the fine-grained privileges/roles only when needed.

Encryption/Decryption 1.RADIUS or Kerberos authentication for host target access via Pluggable Authentication Module(PAM). Follow the process outlined below to secure the encryption key: a.target_guid 3. And it only needs to be in the Repository when the Repository is upgraded.. which is stored in the Repository.g.tc. Backup the encryption key to a file by running the following command and keep the encryption file on a separate machine securely. e.target_guid=t. SYSMAN.user_name. Do not set preferred credentials for group/common accounts. Take advantage of the benefits such as centralized identity storage and administration brought by LDAP. Moreover. Further. By storing the key separately from EM schema. If preferred credentials are set for common accounts. Note 422073. The following SQL statement can be used to report the list of users who have the preferred credentials set: SELECT t.2. Secure the encryption key: Encryption key is the master key that is used to encrypt/decrypt sensitive data. If the encryption key is lost or corrupted. MGMT_TARGETS t WHERE tc. such as passwords and preferred credentials.target_name. 16 . the EM schema owner should not have access to the OMS/Repository Oracle homes.1 shows how to configure Agent for PAM and LDAP. we ensure that the sensitive data such as Preferred Credentials in the Repository remain inaccessible to the schema owner and other SYSDBA users (Privileged users who can perform maintenance tasks on the database) in the Repository. the encrypted data in the repository is unusable. keeping the key from EM schema will ensure that sensitive data remain inaccessible while Repository backups are accessed.credential_set_name FROM MGMT_TARGET_CREDENTIALS tc.tc. The key itself is originally stored in the Repository and it is removed automatically from the Repository once the installation is done. then the accountability of the use of these credentials is lost.

for all oprtations use ALL" 17 .ora 2. if the operation does not automatically copy the emkey back to Repository (or remove it from the Repository afterwards). emctl config emkey –remove_from_repos You will be prompted for SYSMAN password. 3. Enable audit for all security critical operations by issuing the following EMCLI verb: emcli enable_audit Please note that you have to restart OMSs if your GC is 10g Release 5. While emkey is required to be existing in the Repository for some operations.for all oprtations use ALL" -operations_to_disable="name of the operations to disable. please use the following EMCLI verb: emcli update_audit_settings -audit_switch="ENABLE/DISABLE" operations_to_enable="name of the operations to enable.emctl config emkey –copy_to_file_from_credstore –emkey_file emkey. To enable audit for a subset of audited operations. please copy it back to the Repository and after the operation remove it from the Repository by following the procedure below: a. Remove the key from the Repository once the opeation is done. Auditing 2. b. For 11g Release 1. restarting is not needed. Copy the encryption key back into the Repository by using the following command: emctl config emkey –copy_to_repos You will be prompted for SYSMAN password.

Please also make sure there is enough space in the directory for the audit log files 18 . the audit records are kept in MGMT$AUDITLOG table in the Repository.Please refer to section “Setting up for Auditing System for Enterprise Manager” in Chapter 2 of Administrator‟s Guide for the list of operations that are audited by Enterprise Manager. Login in to Grid Control as a Super Administrator b. Please use GUI tool in Grid control to monitor audit data. Go to “Setup” c. Once audit is enabled. Scroll down the page to “Audit” section and click the link “Audit Data” then you will be directed to the page to monitor audit data. emcli update_audit_settings –audit_switch=”ENABLE” – operations_to_enable=”LOGIN. Configure the externalization service via EMCLI verb update_audit_settings to externalize the audit data from the Repository to an external file system on a regular basis. The following command will show you the list of operations that can be audited by Enterprise Manager emcli show_operations_list And the following command will only enable Enterprise Manager to audit user login and logoff opeations in Grid Control. Here are the steps to monitor audit data in Grid Control: a. Click Tab “Management Services and Repository” d.LOGOUT” 4. 5.

and the file size will be 1M bytes each. Oracle Enterprise Manager provides a robust set of security features and capabilities starting with secure framework level communication to a secure user model.. emcli update_audit_setting -directory="EM_DIR" -file_prefix="emgc_audit" -file_size="1000000" -data_retention_period="60" 6. directory_name: The name of the database directory that is mapped to the OS directory. Wherever possible. Achieve Separation of Duties by restricting the access to the directory where the externalized audit data is stored. the entire system is as vulnerable as its weakest link. we attempt to incorporate best practices learned in the field into the product itself. Yet.htm#insert edID8 Conclusion It is difficult to overstate the importance of security. This is particularly true for EM given its wide-reaching nature.111/e16790/security3.com/docs/cd/E11857_01/em.oracle. file_size: The size of the file the data is written to. The rich set of target security policies shipped out-of-box are an example of this effort. http://download. data_retention_period: The period for which the audit data is to be retained inside the repository. No EM users should have access to the externalized audit data. The 19 .emcli update_audit_settings -file_prefix=<file_prefix> directory_name=<directory_name> -file_size = <file size> data_retention_period=<period in days>     file_prefix: The prefix of the file which contains the audit data. The following example shows that the audit data will retained in the Repository for 60 days and once expurged the data will be stored in the OS directory that corresponds to database directory EM_DIR with filenames prefixed with emgc_audit. Please refer to the Chapter 2 of Administrator‟s Guide for more information about Oracle Enterprise Manager Auditing.

20 . We encourage you to take advantage of these recommendations to make your EM Deployments robust from a security standpoint.best practices presented above are designed to help you systematically enhance the overall security of your EM deployments.

without our prior written permission.506. This document is not warranted to be error-free. This document may not be reproduced or transmitted in any form or by any means. Ltd. Opteron.Oracle Enterprise Manager Grid Control 11g Release 1 Security Deployment – Best Pracitces June 2010 Author: Huaqing Wang Contributing Authors: Ravi Pinnamaneni Andrew Bulloch.S. including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle and/or its affiliates. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. Worldwide Inquiries: Phone: +1.7000 Fax: +1. Other names may be trademarks of their respective owners. AMD. nor subject to any other warranties or conditions. whether expressed orally or implied in law. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International.7200 oracle. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. UNIX is a registered trademark licensed through X/Open Company.650. and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices.506. the AMD logo. This document is provided for information purposes only and the contents hereof are subject to change without notice. All rights reserved. Inc. 0110 Copyright © 2010. Werner De Gruyter Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores. electronic or mechanical.com Oracle and Java are registered trademarks of Oracle and/or its affiliates.650. CA 94065 U. . for any purpose.A.